OSDOCS-5333: Adding AES-GCM encryption option

bergerhoffer · bergerhoffer · commit d83a123f3da8 · 2023-03-28T09:42:36.000-04:00
diff --git a/modules/about-etcd-encryption.adoc b/modules/about-etcd-encryption.adoc
@@ -17,7 +17,7 @@ When you enable etcd encryption, the following OpenShift API server and Kubernet
 * OAuth access tokens
 * OAuth authorize tokens
 
-When you enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys to restore from an etcd backup.
+When you enable etcd encryption, encryption keys are created. You must have these keys to restore from an etcd backup.
 
 [NOTE]
 ====
diff --git a/modules/enabling-etcd-encryption.adoc b/modules/enabling-etcd-encryption.adoc
@@ -27,15 +27,15 @@ It is not recommended to take a backup of etcd until the initial encryption proc
 $ oc edit apiserver
 ----
 
-. Set the `encryption` field type to `aescbc`:
+. Set the `encryption` field to `aescbc` or `aesgcm`:
 +
 [source,yaml]
 ----
 spec:
   encryption:
     type: aescbc <1>
 ----
-<1> The `aescbc` type means that AES-CBC with PKCS#7 padding and a 32 byte key is used to perform the encryption.
+<1> Set to `aescbc` for AES-CBC encryption or `aesgcm` for AES-GCM encryption.
 
 . Save the file to apply the changes.
 +
diff --git a/modules/etcd-encryption-types.adoc b/modules/etcd-encryption-types.adoc
@@ -0,0 +1,14 @@
+// Module included in the following assemblies:
+//
+// * security/encrypting-etcd.adoc
+// * post_installation_configuration/cluster-tasks.adoc
+
+:_content-type: CONCEPT
+[id="etcd-encryption-types_{context}"]
+= Supported encryption types
+
+The following encryption types are supported for encrypting etcd data in {product-title}:
+
+AES-CBC:: Uses AES-CBC with PKCS#7 padding and a 32 byte key to perform the encryption. The encryption keys are rotated weekly.
+
+AES-GCM:: Uses AES-GCM with a random nonce and a 32 byte key to perform the encryption. The encryption keys are rotated weekly.
diff --git a/post_installation_configuration/cluster-tasks.adoc b/post_installation_configuration/cluster-tasks.adoc
@@ -654,6 +654,7 @@ include::modules/nodes-cluster-enabling-features-cli.adoc[leveloffset=+2]
 Back up etcd, enable or disable etcd encryption, or defragment etcd data.
 
 include::modules/about-etcd-encryption.adoc[leveloffset=+2]
+include::modules/etcd-encryption-types.adoc[leveloffset=+2]
 include::modules/enabling-etcd-encryption.adoc[leveloffset=+2]
 include::modules/disabling-etcd-encryption.adoc[leveloffset=+2]
 include::modules/backup-etcd.adoc[leveloffset=+2]
diff --git a/security/encrypting-etcd.adoc b/security/encrypting-etcd.adoc
@@ -9,6 +9,9 @@ toc::[]
 // About etcd encryption
 include::modules/about-etcd-encryption.adoc[leveloffset=+1]
 
+// Supported encryption types
+include::modules/etcd-encryption-types.adoc[leveloffset=+1]
+
 // Enabling etcd encryption
 include::modules/enabling-etcd-encryption.adoc[leveloffset=+1]
 
